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What’s new ?
PRODAFT Threat Intelligence (PTI) Team has obtained valuable insights on the
inner workings of the Conti ransomware group. The PTI team accessed Conti’s
infrastructure and identified the real IP addresses of the servers in question. This report
provides unprecedented detail into the way the Conti ransomware gang works, how
they select their targets, how many targets they’ve breached, and more.
Why does it matter ?
Ransomware attacks are increasing in severity and frequency, threatening major
institutions and placing enormous strain on supply chains that are already stretched
thin. Conti has shown itself to be a particularly ruthless group, indiscriminately
targeting hospitals, emergency service providers, and police dispatchers. This report
contains the latest and most accurate data available on one of the most dangerous
ransomware groups in existence.
Conti also earned a reputation for not delivering decryption keys even after
victims pay. However, simply telling companies not to pay isn’t enough to solve
the problem. Our mission is to equip executives, legal advisors, insurers and law
enforcement agents with intelligence and unique insights that help them understand
the threat, manage the risk more effectively, and find better practical solutions to
deal with its consequences.
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Introduction

Ransomware attacks work by encrypting the victim’s business-critical data, rendering it
inaccessible. After triggering the attack, cybercriminals will offer to sell a decryption key to
the victim. If the victim doesn’t comply, they simply have to accept the catastrophic loss of
their most valuable data.
Some ransomware attacks use a two-pronged strategy. Attackers will demand a ransom
payment for decrypting data, and threaten to publicly publish sensitive data if the ransom
is not paid by a certain deadline. (”Double Extortion”).
Ransomware has been in use for decades, but it has surged in popularity among
cybercriminals in recent years. Multiple factors contribute to this rise, including the
development of cryptocurrency that enables near-anonymous payments, the widespread
digitalization of sensitive data, and the release of sophisticated ransomware-as-a-service
criminal business models. Ransomware losses are likely to exceed $20 billion by the end of
2021 [4].
Ransomware can be separated into two basic groups :
Fully Automated Ransomware (FAR), and
Semi-Automated Ransomware (SAR)

•
•

In FAR cases, ransomware generally infects the system via phishing emails or malicious
web pages that contain the malicious payload. The malware contains the code to spread
throughout the network, identify sensitive files, encrypt them, and display a ransom note for
the victim. Threat actors who use FAR mostly focus on lightweight distribution channels that
are easily automated – they tend to stay away from making direct contact with victims. FAR
attacks do not typically succeed against enterprise-level organizations with a wide range
of detection and prevention tools. Victims of FAR attacks tend to be more cautious about
paying the ransom because the automated system doesn’t instill a great degree of trust. In
many cases, victims will ask to be transferred to a human representative, who will negotiate
on behalf of the cybercrime organization.
SAR attacks can be more sophisticated since they rely on manual interaction between
cybercriminals and their victims. In these cases, attackers may use zero-day exploits, or they
may rely on known vulnerabilities that haven’t yet been patched – even within hours of the
patch release. Our team has observed SAR attackers buying RDP or VPN credentials directly
from other hackers on underground markets. Upon successful entry, these attackers use
common penetration testing tools for lateral movement within the victim’s network. They
then escalate their privileges, start encrypting, and trigger the ransomware attack.
Modern cybercrime organizations use a hierarchical workflow to monetize operations.
The ”X-as-a-Service” model has become popular among criminals since each step of an
advanced attack kill chain requires different skills. This report will demonstrate how this
business model works and provide in-depth insight about the illicit economy it perpetuates.
These findings will help other researchers understand the working dynamics of other groups
that operate in the ransomware industry.
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The group this report focuses on is called ”Conti”, which appears to be identical with the
group known as ”Wizard Spider”. It is a criminal organization behind advanced ransomware
technologies known as Ryuk and Hermes. We won’t focus on sample analysis, as many
reputable sources already offer this kind of technical information. Instead, this report is the
first to presents findings regarding behind-the-scenes information on how the ransomware
group operates.
Enterprise leaders, cybersecurity executives, and risk advisors can use this report’s findings to
better prepare their organizations against ransomware attacks. Proactive threat intelligence
is key to identifying the factors that contribute to cybercrime trends and preventing threat
actors from exploiting enterprise vulnerabilities.
Please note that this report has two versions. The ”Private Release” is provided to law
enforcement agencies, applicable CERTS / CSIRTS, and members of our U.S.T.A. Threat
Intel Platform (with appropriate annotations and reductions). Likewise, the ”Public
Release” is publicly disseminated for the purpose of advancing global fight against
high-end threat actors and APTs.
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2

Executive Summary

2.1

Overview
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Conti ransomware frequently makes headlines due to the high-profile organizations it
often targets, as well as the high ransoms its negotiators demand. The PTI Team noticed a
surge in Conti attacks and started analyzing the group in September 2021. Our team detected
a vulnerability in the recovery servers that Conti uses, and leveraged that vulnerability to
discover the real IP addresses of the hidden service hosting the group’s recovery website.
This report presents valuable data about the inner workings of the semi-automatic recovery
service that Conti relies on to execute ransomware attacks. Threat intelligence data like this
helps enterprise executives build resilient cybersecurity defenses and protect sensitive data
from exfiltration.

2.2

Conti Ransomware

Conti ransomware (a.k.a. Hermes, Ryuk[1], Wizard Spider[9]) is a malicious program that
prevents users from accessing their data unless the victims pay a ransom. Conti automatically
scans networks for valuable targets, spreads through the network, and encrypts every
device and account it can find.
Unlike similar ransomware variants, Conti uses a ransomware-as-a-service (RaaS) business
model. The ransomware developers sell or lease their ransomware technology to affiliates,
who then use that technology to carry out attacks. This business model often includes a
digital management panel. Conti customers – affiliate threat actors – use this management
panel to create new ransomware samples, manage their victims, and collect data on their
attacks. Our investigation showed that Conti threat actors also use extortion and victim
shaming to coerce victims into paying ransoms.
Analyst Note : Victim shaming is the use of tactical use of social pressure to push
victim organizations into fulfilling ransom demands. They may threaten to release stolen
confidential data, or to email business partners and draw attention to the ransomware
attack.
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Figure 1. Conti threat actors using extortion

2.3

The RaaS Business Model

RaaS owners employ multiple affiliates who are responsible for breaking into victims’
networks and encrypting their files. These affiliates are selected mostly from forums, among
highly-skilled hackers with backgrounds in penetration testing. People may also become
affiliates if they have an established network for obtaining access to information from other
cybercriminals. In both cases, RaaS owners require references from recognized cybercriminals
before hiring affiliates.
The RaaS business model makes cybercriminal reputation essential to success. Most
affiliates send a commission between 10-30% of each ransom payment they receive to
the RaaS owners. The amount for the operators can also be automatically deducted from
the collected ransom in certain cases. RaaS owners also often provide virtual machines,
exploitation tools, and other technologies to support affiliates’ attacks. Every affiliate has an
access to a management panel where they can monitor and communicate with victims. An
affiliate panel usually includes the following tools :

• A ransomware executable generator
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ransomware decryption application
• AA separate
cryptocurrency
gateway for victims
• A commission ratepayment
• Monitoring tools forcalculator
victims and statistics
• Secure chat functionality
for victim negotiation
•
These tools are designed with non-technical users in mind. Cybercriminals no longer need a
great deal of technical expertise to run successful attack campaigns. Instead, they maximize
profit using psychological tactics like extortion and victim shaming. Moreover, affiliates are
expected to constantly attack and breach new targets. Whenever an affiliate becomes
inactive for a long period of time, RaaS owners remove that affiliate’s account, which has a
negative impact on the affiliate’s reputation.

3

Technical Analysis

Our team obtained insider data on the Conti RaaS group and its platform, including
information on its management panel and a step-by-step analysis of the Conti attack kill
chain. This section contains intelligence about the threat responsible and their affiliates.
It includes new, never-before-seen data on Conti’s active management server and the
group’s techniques, tactics and procedures (TTP).
This is valuable information that enterprises and cybersecurity vendors can use to detect
and mitigate Conti ransomware attacks. Organizations equipped with sophisticated threat
intelligence capabilities can prepare for these attacks and proactively prevent devastating
data breaches and ransomware attacks from occurring.

3.1

Conti’s History

The first indications of a unique Conti ransomware group appeared in October
2019. The group did not establish its own website until early 2020 on the address
http://fylszpcqfel7joif.onion. Since then, we’ve observed data belonging to 567 different
companies have been shared on the Conti extortion site https://continews.click and
http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion. This number
only represents victims whose names are shared on the extortion site or whose data is
shared and subsequently deleted. In addition, Conti uses another TOR hidden service for
serving the stolen victim data. As can be seen in the figure 2 data download links points to
the domain nilbxxtm5mava3k2r5vzkuuu2g4bp5wlupo3nzry3c6q5rm5sti5ktqd.onion with a
random path.
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Figure 2. Conti’s victim data download server

Based on unofficial statistics, it appears that the number of companies affected by the
Conti ransomware group is much higher than what we can see on just these websites.
Expanding its scope of influence day by day, the Conti ransomware currently uses the RaaS
affiliation model, enabling different threat actors to operate independently of one another.
The Conti team is currently deploying a ransomware variant known as Conti v3.0 to victim
systems, and development continues.
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Figure 3. Conti’s extortion blog

3.1.1

The Ryuk and Conti Connection

Based on an analysis made on ransomware samples and a comparison of bitcoin wallets
used for receiving ransom payments, there is an undeniable connection between Conti
and Ryuk ransomware teams. They may be the same team, or different teams that share
members and resources with one another. The first examples of Ryuk were published on the
https://exploit.in/, a well known underground cybercrime forum, under the name Hermes
ransomware by a russian-speaking threat actor named CryptoTech in February 2017.
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Figure 4. CryptoTech’s Hermes Share

Development of Hermes continued until version 2.1, which is released in August 2018. The
threat actor replaced the name Hermes with ”Ryuk” and begin advertising it for $300. Based
on e-mail address data and similarities between forum submissions, it’s overwhelmingly likely
that the threat actor CryptoTech developed Ryuk.
The Conti Ransomware can be understood as a continuation of Ryuk. The two ransomware
tools share similarities in their libraries and the way they spread. They even share near
perfect copy-pasted fragments of code. Both Conti and Ryuk rely on the same ransomware
payload distributors : Trickbot, Emotet and BazarLoader. These are the software packages
that do the work of actually delivering malicious ransomware files onto victim’s networks.
At the beginning of 2021, ClearSkysec [3] analyzed bitcoin ransom transactions of Conti
ransomware victims and revealed that they included a wallet address previously used by
the Ryuk ransomware gang. This confirms the connection between Ryuk and Conti, which is
now accepted as fact by the global threat intelligence community.
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Affiliate Leaks

The Conti group is currently working with an RaaS affiliate model and continues to recruit
new members to the team. However, on 05.08.2021 the Conti team suffered a data leak
which exposed internal documents, guides, training materials, and much more. This situation
is common inside the cybercriminal industry, especially among organizations that use the
affiliate business model. A user named m1Geelka shared information about the groups
leader and his assistant in a thread on the on the xss.is cybercrime forum, claiming that the
group treated him unfairly in regards to money.

Figure 5. Affiliate Leak Post

Afterwards, m1Geelka uploaded a large cache of Conti group-related data, including
training materials used by the affiliates, and shared the link to the group’s SendSpace
file-sharing site in the same post. This data contains a high volume of tactical information
about Conti, and valuable intelligence about the operations of the threat actors responsible,
such as images of the CobaltStrike servers that the Conti group actively uses.
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Figure 6. Cobaltstrike Servers Leak

Figure 7. Conti Educational Materials for Affiliates

This list of topics was included inside the leaked training materials :
to build a Cobalt Strike executable
• How
An
introduction
• techniques. to avoiding security products using compiler-based obfuscation
tutorial on using rclone to pull victim data to secure cloud storage accounts on MEGA.
• AHow
establish a remote connection to the victim’s network and gain persistence
• usingtoAnyDesk
and Atera.
How
to
connect
to hacked networks with RDP using Ngrok secure tunnel.
• A guide to performing
brute-force attacks.
• A tutorial on operatingSMB
system
and anonymizing internet traffic via Tor network.
• A how-to on privilege escalation
and gaining administrative rights inside a target
• network.
It’s important to note that many of these technologies are readily available software
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products with legitimate commercial use cases, and that cybercriminals are abusing these
technologies to attack victims :
Cobalt Strike is a commercial, full-featured, remote access tool frequently used in
cybersecurity event simulations.
rclone is a command-line program that helps users manage cloud data storage using
code.
AnyDesk and Atera are commercial remote desktop applications that provide
platform-independent remote access to personal computers and other devices.
ngrok generates an interface where users can introspect all HTTP traffic running over
specified tunnels in real-time.
Tor is an open-source web browser designed for secure, anonymous communication.

•
•
•
•
•

3.2

The Conti Attack Kill Chain

Conti ransomware is constantly changing its attack pattern on a daily basis. It relies on
up-to-date security exploits such as PrintNightmare[7] and FortiGate[10], which are known
exploits with official patches available. However, many users still have not downloaded the
appropriate patches and remain vulnerable.
PrintNightmare (CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) works by
escalating the Windows Print Spooler service permissions to executive privileged
operations. An attacker can use this exploit to install programs ; view, change, or delete
data ; or create new accounts with full user rights.
FortiGate firewall remote code execution (CVE-2018-13379 and CVE-2018-13374) is a
buffer underwrite vulnerability that impacts Fortigate VPN servers to gain access to
enterprise networks.
Conti knows that many users don’t update their security patches very frequently. Its
affiliates count on users waiting for days or even weeks before downloading and running
security patches. With a highly automated RaaS business model like the one Conti uses,
it’s possible for attackers to compromise unpatched systems mere hours after patches get
released.
In the following sections, each step of the overall Conti attack kill chain will be explained,
including every technique, tactic, and procedure that Conti affiliates use to attack their
victims. Since Conti is a RaaS platform, every individual attack may use unique vectors and
exhibit unique behaviour – there is no one-size-fits-all Conti ransomware attack variant.

•
•

3.2.1

Target Selection

Since the RaaS service model gives affiliates a great deal of flexibility over how they choose
to operate, Conti affiliates use a wide range of target selection methods. These include :
Email phishing
Mass vulnerability scanning
High-end malware distribution software
Credential stuffing
Fake websites, impersonated phone calls, and similar social engineering tactics.
Of these target selection methods, email phishing is by far the most common. Another
common method used by Conti affiliates is mass vulnerability scanning, which relies on

•
•
•
•
•
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automated bots checking publicly exposed networks for known vulnerabilities. We have also
seen Conti affiliates using high-end Malware-as-a-Service technologies such as Trickbot,
Emotet, and BazarLoader for distributing Conti ransomware.

3.2.2

Deployment and Execution

In the example our team analyzed for this report, the attack kill chain begins with a phishing
campaign that installs the BazarLoader backdoor onto target systems.
Phishing campaigns often take advantage of Microsoft Office and Google Doc links, send via
email. Attackers use these links to redirect victims to malicious sites where they download the
BazarLoader[6] payload. At this point, the reconnaissance phase begins. The ransomware
will try to discover all directories and network shares inside the victim’s system and expand
throughout.

Figure 8. Bazarloader phishing page

Based on forensic investigations on multiple Conti victims, our Team observed that before
launching Conti ransomware, attackers often try to identify mission-critical systems like
domain controllers or backup servers. If they can find these systems early on, they can
trigger the next phase of the attack faster.
Once discovery and reconnaissance is complete, the data exfiltration phase begins. Conti
attackers evaluate the data inside the victim’s system and decide whether it is important for
the target company. If the data is important enough, attackers will start exfiltrating data to
an anonymous account on the cloud-based anonymous file upload service called MEGA.
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The tool attackers use to do this is called ”rclone”.
Once the first two stages are complete, Conti begins encrypting all files and backups
in the target system, including accessible network devices. The Conti ransomware uses
ChaCha8 encryption with randomly generated keys for each file inside the target system.
Every generated key is encrypted with a RSA-4096 public key and stored at a specific offset
of each file. These keys are used to identify the victim, manage negotiation, and eventually
generate decryption codes upon payment.
3.2.3

Demand and Negotiation

At the end of the ransomware execution phase, all important files of the victims are
encrypted, backups are deleted and a readme.txt file containing the ransom note is
dropped on the target system desktop. The Conti group uses two different ransom note
formats.
The first ransom note directs victims to https://contirecovery.best/ and
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ websites,
which contain instructions for purchasing decryption keys from Conti affiliate attackers. The
ransom note also contains instructions about installing the TOR browser in order to access
the Conti group’s hidden web service.

Figure 9. Conti ransom note inside the victim system

There is a unique victim ID value at the end of this ransom note (readme.txt). It is the string
enclosed with —BEGIN ID— and —END ID— delimiters. Victims are expected to upload their
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ransom note to the Conti’s recovery service website. Once a victim uploads a valid ransom
note, the website sends them to a chat page for negotiating with the affiliates. This type of
ransom note format carries data leakage risks for companies. The victim IDs are hard-coded
in the ransomware itself. This means that whenever malicious files are uploaded to any
malware service, or the IDs get leaked, the chat becomes accessible to anyone.
The second ransom note includes one or two Protonmail accounts. Victims are expected
to send their company information to those Protonmail mailboxes, which are operated by
Conti affiliates. Victims are recognized by victim-specific Protonmails here, just like the victim
IDs produced in the first example.

Figure 10. Conti ransom note with e-mails

As stated in 3.1, there are many similarities between Ryuk’s ransomware and Conti’s. This is
particularly evident when comparing Conti and Ryuk ransom notes. Both ransoms use a
similar structure. There are victim-specific e-mail addresses created with Protonmail and a
BTC wallet in both examples[2].
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Figure 11. Ryuk ransom note

Once the unique ID is uploaded to Conti’s recovery system, it directs victims to a login page.
On the login page, affiliates request the victim’s names and e-mail addresses. Once they
have this information, the web service provides a chat page with a standard greeting
message (Figure 1).

Figure 12. Conti main page
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At this stage, affiliates send the total captured file size and enumerated system information
to the user. This proves that the data has indeed been compromised.

Figure 13. Victim system information messages

At this point, if the attacker and victim reach an agreement, the victim sends bitcoin to
the designated address and the attacker produces a decryption key using the victim’s ID.
However, we have found evidence that some Conti affiliates simply take the money and
disappear, refusing to provide the decryption key as promised. If the attacker sends the
decryption key to the victim, the link includes a user manual 14 that shows how to use the
decryption application. All information retrieved from the victim’s systems is uploaded to
a free file sharing site where it can be deleted, and that system data is shared with the victim.
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Figure 14. Post-agreement messages

Conti affiliates will also send recommendation messages 15 telling victims how to protect
against future attacks.

Figure 15. Recommendation message

3.3

Management Panel

The PTI Team successfully gained access to several parts of Conti’s RaaS infrastructure. This
gave us cutting-edge insight into the way Conti manages its affiliates and ransomware
technology.
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We gained access to a victim landing page (recovery service) and an
admin management panel hosted as a TOR hidden service on this address :
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/.
We located the subject management panel as well /adminbdpm6p47p2ye3k5f.php, which
is mainly used for managing victims, affiliate accounts, and uploaded files.

Figure 16. Conti admin panel login page

Our threat intelligence team was also able to access a hidden service that provided key
information on the underlying technology stack Conti developers rely on. By analyzing the
source code of Conti’s recovery service and admin management panel, our team discovered
a hidden service using dockerized MySql database bound to 127.0.0.1:3327.
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Figure 17. Conti admin panel source code

The victim recovery service panel contains a submit button, where victims are supposed to
upload the readme.txt files created on their devices. We’ve highlighted the regex pattern
that detects the victim-specific ID in the figure below,18.

Figure 18. Recovery service readme.txt parser code

As the following image shows 19, every uploaded file is stored under the /files/ directory, with
a unique name and following format : MD5(current_time+random_string), which prevents file
name brute force attacks.
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Figure 19. Uploaded content hiding

3.4

De-Anonymization

One of the main objectives of our investigation was revealing the identity of the Conti
affiliates, retailers, developers and servers. Our management panel analysis revealed a
great deal of information regarding the servers that this group uses.
One of the most valuable pieces of threat intelligence we discovered is the the real IP
address of Conti’s TOR hidden service and contirecovery.ws, and 217.12.204.135, on Tuesday,
28 September 2021 21:30:03 UTC.

Figure 20. Domain definitions inside the Conti recovery service source code.

Additionaly, our team was able to identify the operating system details of the server
hosting the TOR hidden service for Conti. The host is a Debian server with host name
”dedic-cuprum-617836”. We believe the numeric value at the end of the host name is an
invoice number for the server, assigned by the hosting company ITLDC.
Linux version 4.9.0-16-amd64 (Debian 6.3.0-18deb9u1) #1 SMP Debian 4.9.272-2
(2021-07-19)
/>
Console 1. OS Details of the Conti onion server (uname -a)
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217.12.204.135 dedic-cuprum-617836.hosted-by-itldc.com dedic-cuprum-617836
/>
Console 2. Hostname Details of the Conti onion server (/etc/hosts)

The captured IP address with the corresponding timestamp have been shared with law
enforcement authorities for further legal action against the Conti group and its affiliates.
The next image shows the contents of htpasswd file of the subject host. The password hash
can be used by other researchers in future Conti investigations.
user:$apr1$7F5MK3J3$/JX4zqKicgXi3hXS57OWZ/
/>
Console 3. Htpasswd file of the Conti onion server

Throughout the analysis phase, our team constantly monitored network traffic entering and
leaving Conti’s recovery servers. This information will improve anti-ransomware software
and lead to more effective filtering and blacklisting of Conti-related traffic. We found the
following IP addresses communicating with the subject Conti server.

• 1.177.172.158
• 104.244.76.44
• 122.51.149.86
• 176.9.1.211
• 176.9.98.228
• 18.27.197.252
• 185.130.44.108
• 185.220.103.4
• 2.82.175.32
• 217.160.251.63
• 218.92.0.211
• 45.153.160.134
• 46.101.236.25
• 49.234.143.71
• 51.75.171.136
• 54.36.108.162
• 6.11.76.81
• 61.177.172.158
• 64.113.32.29
• 66.211.197.38
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root
root
root
root
root
root
root
root
root
root
root
root
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Connect With
pts/0
pts/0
pts/0
pts/0
pts/0
pts/0
pts/0
pts/0
pts/3
pts/2
pts/0
pts/0

Connected From
89.163.249.244
107.189.31.241
185.220.103.5
192.42.116.25
18.27.197.252
45.153.160.134
185.220.103.4
185.130.44.108
104.244.76.44
104.244.76.44
64.113.32.29
54.36.108.162

Login Date (GMT+3)
Wed Nov 10 14:11 - gone
Wed Nov 10 09:09 - 09:10
Mon Oct 25 15:08 - 15:50
Fri Oct 15 20:25 - 20:28
Mon Oct 4 17:47 - 17:47
Mon Sep 27 14:12 - 14:18
Mon Sep 27 09:10 - 09:13
Thu Sep 23 21:08 - 21:26
Thu Sep 23 08:04 - 08:04
Thu Sep 23 08:01 - 13:02
Wed Sep 22 13:46 - 15:40
Wed Sep 22 12:54 - 13:10

Login Activity
no logout
(00:01)
(00:42)
(00:03)
(00:00)
(00:05)
(00:03)
(00:18)
(00:00)
(05:01)
(1+01:54)
(00:16)

Table 1. Conti Hidden Server SSH Connections

By analyzing the IP addresses communicated with Conti servers, we discovered that most of
the connections originate from TOR exit nodes. Two of the IP addresses 176.9.1.211:9001 and
217.160.251.63:29001 are constantly connected to the Conti server, which could indicate that
these are TOR entry nodes used for Conti’s hidden recovery service.
During this phase of the investigation, the PTI team discovered multiple victim chat sessions
and captured login credentials for MEGA accounts used when extorting victims’ data. Our
team has revealed the connecting IP addresses, dates, the purchase method, and the
software used for accessing the file sharing and upload service.
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Figure 21. Mega account

Analyzing the MEGA account in above image 21 revealed that the threat actor created
the account using the TOR browser and made the purchase using Bitcoin. This transaction
occurred while the ransomware attack against the victim was happening. Afterwards, this
account was used with a variety of different operating systems before Conti attackers
uploaded company data to this account using the rclone 3.2.2 tool.
Table 2 contains the login application, IP address, and access date for the MEGA account
discovered by the PTI team.
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Login App
MEGAsync-on-Linux
Opera-on-Windows
Opera-on-Windows
MEGAsync-on-Windows
MEGAsync-on-Windows
MEGAsync-on-Windows
Chrome-on-Windows
Firefox-on-Windows
MEGAsync-on-Windows
rclone/v1.53.3
rclone/v1.53.3
Firefox-on-Windows

IP Address
80.147.24.162
198.98.60.19
107.189.5.68
62.216.203.221
45.128.133.242
147.135.36.162
94.242.253.13
147.135.36.162
142.4.212.27
176.98.160.187
176.98.160.187
185.193.52.180

Access Date
10/7/2021,06:03
10/6/2021,22:32
10/6/2021,20:54
10/6/2021,19:02
10/6/2021,18:38
9/23/2021,07:02
9/23/2021,07:02
9/23/2021,06:53
9/14/2021,15:45
9/13/2021,14:54
9/9/2021,14:35
9/9/2021,12:47

Table 2. Conti Full List of Mega Account Information

Our analysis of victim chat logs revealed that several other Bitcoin wallet addresses were
shared with some victims. The PTI Team is still conducting taint analysis on these wallet
addresses to detect shared spending or laundering attempts.

Figure 22. Conti threat actor giving out additional wallet addresses
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Statistics and Observations

The following graph (See Figure 23) displays changes in the number of Conti victims over a
one-year period. The victim data were gathered from the Conti extortion blog (See Figure 3
[5]).

Figure 23. Conti Victim Count

It’s clear to see that the number of victims has grown rapidly in the past year. The data
contained in this report will help law enforcement authorities act against the Conti
ransomware group and its affiliates, which should result in a drastic reduction in the number
of victims in the near future. This report will inform ongoing investigations that could lead to
the complete neutralization of Conti itself.

4.1

Known Recruiter Profiles

Ransomware groups hire affiliates from deep web and dark net forums, competing to attract
new affiliates into their network. These recruiters generally create topics in well-known
forums and discussion boards. In order to become an affiliate, one must have impressive
skills, demonstrate motivation, and provide references from reputable cybercrime figures or
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organizations.
Threat actors like the Conti team are both secretive and selective when it comes to recruiting.
They recruit members only from experienced cybercrime organizations with high reputation,
using private communication channels. The posts and forum topics of Conti recruiters often
include penetration testing job ads and tooling projects. The following example shows a
penetration test job announcement written by Conti recruiters.

Figure 24. Pentester call for application post

The relevant post was shared by a Russian-speaking threat actor named IT_Work on the
cybercriminal forum exploit.in. In the comments to the related post, IT_Work mentions that
only those who can speak Russian can be included to the team. By combining the data
gathered on the IT_Work profile and the Conti affiliate data leak 3.1.2 already mentions, the
PTI team has gathered a list of threat actors identified as members of the Conti team :
Admin
• ContiNick
: Tokyo

•
•

Jabber : cicada3301@strong.pm
Assistant
Jabber : it_work_support@xmpp.jp
Recruiter
Nick : IT_Work
Username : megabyte

This information will prove vital in helping enterprise cybersecurity teams and their vendors
identify and mitigate security threats that originate from within the Conti cybercrime network.

29 / 37
DISCLAIMER : This document and its contents shall be deemed as proprietary and privileged information of PRODAFT and shall
be subjected to articles and provisions that have been stipulated in the General Data Protection Regulation and Personal
Data Protection Law. It shall be noted that PRODAFT provides this information “as is” according to its findings, without providing
any legally applicable warranty regarding completeness or accuracy of the contents. Therefore, neither this report nor any of
its contents can be used as admissible proof before legal authorities.

TLP:WHITE

5

Conti Ransomware Group - In-Depth Analysis

Money Flow

This section of the report is written by Elliptic Ltd. [8]. Elliptic is the leading provider of
crypto compliance and blockchain analysis solutions globally.

5.1

Analysis of Conti ransom payments

113 bitcoin addresses were identified by Prodaft during this investigation. 100 of these
addresses related to a single ransomware attack in which the victim requested to pay Conti
in 100 separate transactions in order to hide the payment from tax and audit authorities. As
a result, the addresses identified during this research are believed to be connected to 14
separate ransomware incidents. 50% of these attacks resulted in a payment to Conti.
Elliptic analysed the seven addresses to which ransom payments have been made. Conti
operates as a Ransomware as a Service model. RaaS transactions characteristically split as
the proceeds of each transaction is distributed between the ransomware operators and
affiliates, with the exact percentage split differing between RaaS groups. In most instances,
the affiliates are awarded the majority of the ransom payment, with the ransomware
operators taking a smaller percentage. However, on 22 September 2021, the US Cybersecurity
& Infrastructure Security Agency (CISA) issued an alert in which they described Conti’s affiliate
model as wage-based, as opposed to operating a traditional RaaS payment model.
5.1.1

Identification of consolidation cluster

Of the seven active addresses, four were found to send a percentage of their incoming
funds, either directly or indirectly, to the same address cluster (hereafter referred to as “Conti
consolidation cluster”). For three of these addresses, almost exactly 22.5% of the original
incoming funds were sent to this cluster. As a result, it appears that this consolidation cluster
may represent the operator portion of these ransomware payments.
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Figure 25. Elliptic Forensics

A further 31 incoming flows to this cluster were identified which appear to be ransomware
payments. The majority of these send between 22-23% of their incoming funds either directly
or indirectly to the Conti consolidation cluster. This common splitting pattern indicates that
Conti affiliates may be awarded a percentage of the ransoms they successfully obtain,
potentially contradicting CISA’s assessment of Conti operating a wage-based affiliate
payment model. Of interest, several further payments were identified in which the incoming
funds originate from a split of a previous ransom payment, as demonstrated in the graph
below. It is unclear whether this demonstrates an attempt to obfuscate the flow of funds, or
a payment to the Conti operator for other services.
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Figure 26. Elliptic Forensics

Researching the addresses identified by Prodaft and the incoming payments to the
consolidation cluster indicates that since July 2021, Conti has received over 500 bitcoin in
ransomware payments, valued at over $25.5 million, of which $6.2 million has been sent to
the Conti consolidation cluster.

Figure 27. Monthly ransom payments

32 / 37
DISCLAIMER : This document and its contents shall be deemed as proprietary and privileged information of PRODAFT and shall
be subjected to articles and provisions that have been stipulated in the General Data Protection Regulation and Personal
Data Protection Law. It shall be noted that PRODAFT provides this information “as is” according to its findings, without providing
any legally applicable warranty regarding completeness or accuracy of the contents. Therefore, neither this report nor any of
its contents can be used as admissible proof before legal authorities.

TLP:WHITE

5.1.2

Conti Ransomware Group - In-Depth Analysis

Destination of funds : Conti operator

The consolidation cluster, believed to be controlled by a Conti operator, was first active
in December 2017 when it received one incoming payment of 1.8 bitcoin, which was later
split and sent to a variety of prominent exchanges. After this time, the consolidation cluster
was not active again until mid-2021. In August 2021, 0.07 bitcoin was sent from this cluster
to a prominent exchange known to be used by ransomware groups. Aside from this, Conti
have not attempted to cash out or exchange any of the bitcoin they have received into this
cluster. Blockchain activity indicates that the remaining 123.06 bitcoin is currently held in an
unhosted wallet.
5.1.3

Destination of funds : Conti affiliates

In addition to investigating the flow of funds into the consolidation cluster, Elliptic also
investigated the ransomware proceeds which are believed to have been sent to Conti
affiliates. One cluster was identified which has received payments from both Conti and
DarkSide, which may indicate that an individual has worked as an affiliate for both of these
groups.

Figure 28. Ransom payments over time

Conti affiliates appear to conduct a sophisticated money laundering operation, avoiding
obvious consolidation of funds. Due to the recent nature of some of these payments, some
affiliate funds have not yet been moved. Despite this, Elliptic has identified affiliate funds
being sent to a variety of services, including exchanges, coin swaps, privacy enhancing
wallets including Wasabi, and the Russian-language darknet market Hydra.
5.1.4

Identification opportunities

This research indicates that identifying individuals associated with Conti through following
the flow of funds is likely to be challenging, particularly given Conti’s sophisticated money
laundering techniques and use of services such as Wasabi wallet. Furthermore, whilst services
including exchanges implement KYC policies, it is possible that groups such as Conti deposit
and withdraw from these services in small amounts, which do not trigger KYC requirements.
However, transaction screening tools can provide financial institutions and cryptocurrency
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exchanges with the ability to identify incoming transactions from illicit sources such as
ransomware payments. Elliptic’s clients, including financial institutions and cryptocurrency
exchanges can be alerted to any client deposits which originate from addresses connected
to Conti, by using our transaction and wallet screening solutions 1 .

6

Conclusion

Bold, headline-making cyberattacks like the Colonial Pipeline attack in May 2021 showed
the world how cybercriminals can deeply impact day-to-day life for millions of people.
Enterprise executives and their risk advisors need in-depth threat intelligence in order to
mitigate these threats while minimizing the damage they cause. The work of our PTI team is
crucial towards understanding the cybercrime landscape and developing solutions that
improve enterprise resilience against cyber threats and reduce risk exposure in the event of
an attack.
In this report, we presented the inner workings of one of the most well-known ransomware
groups in the world. However, the cybercrime industry moves rapidly. Many ongoing
technological and cultural changes – like the widespread acceptance of cryptocurrency
and the ongoing shift towards remote and hybrid work – will significantly impact how
cyberattacks occur in the near future.
In order to tackle the complex challenge of disrupting cybercriminal organizations,
public and private forces need to work collaboratively with one another to better
understand and mitigate the wider legal and commercial impact of the threat. Our research
sheds much-needed light on the inner workings of cybercriminal organizations, helping
cybersecurity professionals, lawyers and insurance companies identify operatives and their
external connections when investigating security incidents.
Enterprise leaders and cybersecurity executives who invest in threat intelligence services
gain valuable insight into the unique risk profile of their organization. This kind of intelligence
enables them to make comprehensive, data-based decisions about the overall exposure of
their business e relative to real-world threat actor tactics and techniques.
If there is no choice but to negotiate, enterprises equipped with sophisticated threat
intelligence capabilities like ours stand a far better chance of gaining the upper hand
and preventing catastrophic damage to their brand, their users, and their stakeholders.

1. https://www.elliptic.co/solutions/crypto-transaction-monitoring
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